Do You Know Where Your SIDs Are?

SIDs are a crucial element of Windows 2000 and Windows NT 4.0 security. Keep in mind that within a domain, SID references might exist not only for domain SIDs but also for SIDs of accounts held on the local computer and accounts in any trusted domain. The information here describes several obvious and not-so-obvious places where you might find SID references.

NTFS files and folders. Each NTFS file or folder has three distinct areas of its security settings in which SIDs might appear. A discretionary ACL (DACL) lists access permissions for the object; DOMAIN1\JBLOGGS = Full Control is an example of a DACL entry. A system ACL (SACL) specifies whether any auditing will be performed when a file or folder is accessed. To view a file's SACL, select File, Properties in Windows Explorer, and go to the Auditing tab. Finally, a SID identifies the owner of each file or folder.

Registry keys and values. Each NT user profile has an associated HKEY_CURRENT_USER registry subkey, stored in the user profile's ntuser.dat file. Like files and folders, registry subkeys reference SIDs in their access permissions, auditing, and owner identification. Before a new account in a new domain can use a copied NT user profile, you must translate both the security ACLs on the profile's registry subkeys and the SID references embedded in the registry values themselves.
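The following script is an added example, not part of the original article, that inventories the SID references described above for both NTFS objects and registry keys: it walks a path, pulls the owner, DACL entries and (optionally) SACL entries from each object, and flags any SID that no longer resolves to an account, which is how orphaned references show up after a migration. It assumes an elevated PowerShell session (reading SACLs requires the SeSecurityPrivilege); the paths in the usage lines are hypothetical.

```powershell
# Added example: inventory SID references (owner, DACL, SACL) under a file-system
# or registry path and flag SIDs that no longer map to an account.
function Get-SidReferences {
    param(
        [Parameter(Mandatory)] [string] $Path,   # NTFS folder or registry key, e.g. C:\Data or HKLM:\SOFTWARE\App
        [switch] $IncludeSacl                    # also read audit entries (needs SeSecurityPrivilege)
    )
    $targets = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($item in $targets) {
        # Get-Acl works for both the FileSystem and Registry providers.
        $aclParams = @{ LiteralPath = $item.PSPath; ErrorAction = 'Stop' }
        if ($IncludeSacl) { $aclParams.Audit = $true }
        try { $acl = Get-Acl @aclParams } catch { continue }

        $sidType = [System.Security.Principal.SecurityIdentifier]
        $refs = @()
        # Area 1: the owner SID.
        $refs += [pscustomobject]@{ Area = 'Owner'; Sid = $acl.GetOwner($sidType) }
        # Area 2: every DACL entry (explicit and inherited), keyed by raw SID.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $refs += [pscustomobject]@{ Area = 'DACL'; Sid = $ace.IdentityReference }
        }
        # Area 3: every SACL (auditing) entry, if requested.
        if ($IncludeSacl) {
            foreach ($ace in $acl.GetAuditRules($true, $true, $sidType)) {
                $refs += [pscustomobject]@{ Area = 'SACL'; Sid = $ace.IdentityReference }
            }
        }
        foreach ($r in $refs) {
            # Translate the SID back to DOMAIN\Account; failure means the SID is orphaned
            # (account deleted, or it belongs to a domain this computer can no longer reach).
            $account = $null
            try { $account = $r.Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{
                Object   = $item.PSPath -replace '^.*::', ''
                Area     = $r.Area
                Sid      = $r.Sid.Value
                Account  = $account
                Orphaned = (-not $account)
            }
        }
    }
}

# Usage (hypothetical paths): list orphaned SIDs on a data folder, then the most
# referenced SIDs under a registry key, e.g. a loaded copy of a profile's ntuser.dat.
Get-SidReferences -Path 'C:\Data' -IncludeSacl | Where-Object Orphaned | Format-Table Object, Area, Sid
Get-SidReferences -Path 'HKLM:\SOFTWARE\ExampleApp' | Group-Object Sid | Sort-Object Count -Descending
```

Run the inventory before a migration to know which SIDs need translating, and again afterwards to confirm nothing was left pointing at the old domain.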

Shared folders and printers. Each NT file share and printer share has permissions similar to an NTFS file's.

NT user rights. In NT User Manager, you can select Policies, User Rights to see the groups or users to which rights are assigned. For example, the Back up files and directories user right is ordinarily assigned to the Administrators and Backup Operators groups, each of which has a SID.

Service accounts. If you've configured NT services to run under a specified account, when you migrate, you must remember to reconfigure the services to use accounts in the new domain.

Microsoft Exchange Server ACLs. Each Exchange mailbox and public folder has an associated ACL for permissions (viewable on Exchange's Permissions tab for each object) and an owner (viewable for mailboxes as the Primary NT Account). The Exchange Site and Configuration objects also have associated ACLs.

Microsoft SQL Server ACLs. If a SQL Server system is using NT-integrated security (as opposed to basic security, which relies on users manually entering usernames and passwords), database objects have ACLs used to grant or deny access.

Web, proxy, and other servers. Other servers might also use SIDs to identify access permissions.